Skip to content

Enterprise WAF/SOC feature set (consolidated)#35

Merged
seonghobae merged 14 commits into
mainfrom
all-features
Jul 11, 2026
Merged

Enterprise WAF/SOC feature set (consolidated)#35
seonghobae merged 14 commits into
mainfrom
all-features

Conversation

@seonghobae

Copy link
Copy Markdown
Contributor

Consolidates nine independently-developed features into one PR (stacked PRs weren't auto-processing). Each was individually built and 100%-covered; combined here to give the gate a single PR to process.

Features

  • Built-in WAF signature catalogGET /api/signatures (redacted; no raw patterns).
  • Offline detection testPOST /api/evaluate scores a synthetic request without proxying.
  • OperabilityGET /api/version, GET /readyz (route-aware k8s readiness → 503 when no enabled route).
  • Event filteringGET /api/events?action=&limit=.
  • Max request body sizeDefaultBodyLimit → 413 (DoS guard), MAX_BODY_BYTES env.
  • Per-route block thresholdRouteConfig.block_threshold overrides global BLOCK_SCORE.
  • Entropy anomaly signal — Shannon-entropy signal added to anomaly_signal (encoded-payload detection).
  • SIEM logging — each SecurityEvent emitted as one JSON line to stdout.
  • DNSBL CIDR matchingDnsblEntry.prefix_len + pure ip_in_network bit-mask.

Verification

  • cargo test42 passed; cargo fmt --check + cargo clippy clean.
  • cargo llvm-cov — 100% line coverage, 0 missed lines (verified locally).

Supersedes #26, #27, #28, #29, #30, #31, #32, #33, #34.

🤖 Generated with Claude Code

https://claude.ai/code/session_01TU3DzjW4HuxjFDXFJQz8VC

seonghobae and others added 10 commits July 6, 2026 22:15
Enterprise buyers doing security due diligence need to audit what the WAF
detects out of the box; the built-in signatures were only visible in source.
This exposes a redacted catalog over the API.

- SignatureInfo + signature_catalog(): id, class, and severity for each built-in
  signature. The raw match pattern is deliberately omitted so the catalog does
  not hand attackers exact evasion strings.
- GET /api/signatures returns the catalog (26 signatures across sqli, xss,
  path-traversal, command-injection, ssrf, deserialization).

Verified: 33 tests pass (signatures_endpoint_lists_redacted_catalog asserts the
ids/classes are present and the raw patterns are absent); fmt/clippy clean;
llvm-cov 0 missed lines. Live: GET /api/signatures returns 26 entries, no raw
patterns.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TU3DzjW4HuxjFDXFJQz8VC
SOC operators need to test payloads against the detection engine and tune rules
without generating live gateway traffic. This scores a synthetic request against
the current threat indicators and DNSBL, returning the score, reason, and whether
it would block — no proxying, no side effects.

- EvaluateRequest{path, query?, body?, client_ip?} -> EvaluateResponse{score,
  reason, would_block}. Reuses score_request over the live detection state.
- GET-safe/read-only, consistent with the other read endpoints.

Verified: 33 tests pass (evaluate_endpoint_scores_payloads_offline covers query
and body payloads, block and benign); fmt/clippy clean; llvm-cov 0 missed lines.
Live-equivalent asserted via the integration test.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TU3DzjW4HuxjFDXFJQz8VC
- GET /api/version returns the build name/version for deployment verification.
- GET /readyz is a Kubernetes readiness probe distinct from /healthz (liveness):
  it reports 200 only when the gateway has an enabled route to serve, else 503,
  so k8s stops routing traffic to a misconfigured pod.

Verified: 33 tests pass (version_and_readiness_endpoints covers version, ready
200, and not-ready 503); fmt/clippy clean; llvm-cov 0 missed lines.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TU3DzjW4HuxjFDXFJQz8VC
SOC triage needs to slice the event stream. GET /api/events now accepts optional
?action= (e.g. blocked, monitored, rate_limited) and ?limit= (most recent N,
chronological order preserved) query parameters. Unfiltered behaviour is
unchanged.

Verified: 33 tests pass (events_endpoint_filters_by_action_and_limit covers
unfiltered, action filter, and limit); fmt/clippy clean; llvm-cov 0 missed lines.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TU3DzjW4HuxjFDXFJQz8VC
Unbounded request bodies are a DoS vector. This caps the accepted body size via
axum's DefaultBodyLimit layer so oversized requests get 413 Payload Too Large
before any handler buffers them.

- AppState.max_body_bytes (default 1 MiB) + with_max_body_size builder; wired
  from MAX_BODY_BYTES env in main.rs.
- build_app applies DefaultBodyLimit::max(..) across all routes.

Verified: 33 tests pass (oversized_request_body_is_rejected: 413 over the limit,
accepted under it); fmt/clippy clean; llvm-cov 0 missed lines.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TU3DzjW4HuxjFDXFJQz8VC
Enterprise deployments need per-endpoint detection sensitivity — a login or
payment route should block at a lower score than a public search. The block
threshold was a single global constant (BLOCK_SCORE = 50).

- RouteConfig.block_threshold: Option<u16> (serde default None = use the global
  BLOCK_SCORE, fully backward compatible with existing state and payloads).
- The gateway blocks when score >= route.block_threshold.unwrap_or(BLOCK_SCORE).
- validate_route rejects a zero threshold (would block everything).

Verified: 33 tests pass (per_route_block_threshold_overrides_global: a route with
threshold 5 blocks a score-10 request while a default-threshold route does not,
plus zero-threshold rejection); fmt/clippy clean; llvm-cov 0 missed lines.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TU3DzjW4HuxjFDXFJQz8VC
Adds a second, independent statistical signal (Shannon entropy) to anomaly_signal
so the gateway flags encoded/obfuscated payloads that signatures and metacharacter
density miss.

- shannon_entropy(): pure bits/byte calculation (no dependency).
- anomaly_signal combines metacharacter density + high entropy, length-gated at
  40 bytes so ordinary short requests never trip; metacharacter-only reason
  string unchanged for backward compatibility.

Verified: cargo test + fmt/clippy clean; llvm-cov core crate 100%, 0 missed lines.
Live: an encoded blob scores 10 with reason "high entropy ~ bits/byte"; a normal
request stays at 0.

Clean re-submission of #20 (opencode-review concluded failure with no gate finding;
coverage-evidence + strix passed).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TU3DzjW4HuxjFDXFJQz8VC
Emits each recorded SecurityEvent as a single-line JSON record to stdout so a
log collector (Splunk/ELK/Loki/Datadog) ingests it in real time, alongside the
unchanged API surface.

- security_event_log_line(): serializes a SecurityEvent to one JSON line.
- record_event() prints it as the event is recorded.

Clean re-submission of #21 (opencode-review flaky failure with no gate finding),
rebased onto main incl. #19 RBAC.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TU3DzjW4HuxjFDXFJQz8VC
DNSBL matching was exact-IP only; a single /24 entry now covers a whole subnet.

- DnsblEntry gains optional prefix_len (serde default None = exact match).
- ip_in_network(): pure bit-mask CIDR check (no dependency); dnsbl_matches()
  dispatches exact vs network; score_request uses it.
- validate_dnsbl rejects a prefix_len wider than the address family.

Verified: cargo test + fmt/clippy clean; llvm-cov patch coverage 100% (incl.
IPv4/IPv6, /0, cross-family, validation bounds). Live: a /24 entry blocks an
in-subnet IP (403) while an out-of-subnet IP passes (200); prefix_len 40 -> 400.

Clean re-submission of #18 (opencode run hung >88min on that head).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TU3DzjW4HuxjFDXFJQz8VC
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TU3DzjW4HuxjFDXFJQz8VC
@seonghobae seonghobae enabled auto-merge (squash) July 7, 2026 00:26
@opencode-agent opencode-agent Bot disabled auto-merge July 11, 2026 11:57
Comment thread .github/workflows/codeql.yml Fixed

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

OpenCode cannot approve yet because required coverage evidence did not pass.

Review outcome

1. HIGH .github/workflows/opencode-review.yml:1 - Coverage evidence did not prove required test/docstring evidence

  • Problem: The required coverage-evidence job result was failure, so OpenCode cannot establish approval sufficiency for this head.

  • Root cause: Automated approval is only valid when the same-head coverage-evidence job proves supported repository test suites passed and configured docstring gates passed or were advisory, or reports not applicable because no supported source files or package manifests exist. Missing, failed, skipped, unavailable, or unsupported-tooling test evidence is a blocker.

  • Fix: Install or configure the repository test/docstring evidence tooling when source files or package manifests exist, rerun the current-head coverage-evidence job, and approve only after it reports success with required evidence or explicit no-source not-applicable evidence.

  • Regression test: Keep the approval branch checking needs.coverage-evidence.result == success before posting APPROVE, and publish REQUEST_CHANGES when coverage-evidence blocker states such as cancelled, skipped, failed, unsupported-tooling, or below-100 evidence are present.

  • Result: REQUEST_CHANGES

  • Reason: coverage-evidence result was failure, so required test/docstring evidence was not proven for current head b093e351e0eb2c1a4b4e8440ebc3d6228e9518fb.

  • Head SHA: b093e351e0eb2c1a4b4e8440ebc3d6228e9518fb

  • Workflow run: 29171597165

  • Workflow attempt: 1

Coverage evidence

Coverage Evidence

  • Head SHA: b093e351e0eb2c1a4b4e8440ebc3d6228e9518fb
  • Required test evidence: supported repository test suites must pass.
  • Required docstring evidence: repository-owned docstring gates must pass when configured; otherwise docstring coverage is advisory.

Python implementation completeness scan

$ python3 /home/runner/work/wardnet/wardnet/scripts/ci/implementation_completeness_scan.py --repo-root . --changed-files /tmp/tmp.WY0DMc6BCP 
# Implementation Completeness Scan

- Checked runtime Python files: 0
- Declaration handling: typing.Protocol, abc.ABC, @abstractmethod, and @overload placeholders are treated as contracts, not executable missing implementations.
- Result: PASS
- Reason: no executable placeholder implementations were found in changed runtime Python files.
  • Result: PASS

Rust coverage tooling (cargo-llvm-cov)

$ cargo install cargo-llvm-cov --locked 
    Updating crates.io index
 Downloading crates ...
  Downloaded cargo-llvm-cov v0.8.7
  Installing cargo-llvm-cov v0.8.7
warning: default toolchain implicitly overridden with `stable-x86_64-unknown-linux-gnu` by rustup toolchain file
  |
  = help: use `cargo +stable install` if you meant to use the stable toolchain
  = note: rustup selects the toolchain based on the parent environment and not the environment of the package being installed
    Updating crates.io index
    Updating crates.io index
 Downloading crates ...
  Downloaded errno v0.3.14
  Downloaded glob v0.3.3
  Downloaded anyhow v1.0.102
  Downloaded aho-corasick v1.1.4
  Downloaded bitflags v2.11.1
  Downloaded xattr v1.6.1
  Downloaded itoa v1.0.18
  Downloaded cargo-config2 v0.1.44
  Downloaded lexopt v0.3.2
  Downloaded cfg-if v1.0.4
  Downloaded shared_thread v0.2.0
  Downloaded lcov2cobertura v1.0.9
  Downloaded unicode-ident v1.0.24
  Downloaded autocfg v1.5.0
  Downloaded opener v0.8.4
  Downloaded duct v1.1.1
  Downloaded serde v1.0.228
  Downloaded filetime v0.2.29
  Downloaded toml v1.1.2+spec-1.1.0
  Downloaded camino v1.2.2
  Downloaded serde_json v1.0.149
  Downloaded walkdir v2.5.0
  Downloaded fs-err v3.3.0
  Downloaded proc-macro2 v1.0.106
  Downloaded serde_core v1.0.228
  Downloaded same-file v1.0.6
  Downloaded serde_spanned v1.1.1
  Downloaded shell-escape v0.1.5
  Downloaded os_pipe v1.2.3
  Downloaded rustc-demangle v0.1.27
  Downloaded shared_child v1.1.1
  Downloaded quote v1.0.45
  Downloaded ruzstd v0.8.3
  Downloaded quick-xml v0.39.4
  Downloaded termcolor v1.4.1
  Downloaded zmij v1.0.21
  Downloaded syn v2.0.117
  Downloaded serde_derive v1.0.228
  Downloaded tar v0.4.45
  Downloaded toml_parser v1.1.2+spec-1.1.0
  Downloaded memchr v2.8.0
  Downloaded bstr v1.12.1
  Downloaded rustix v1.1.4
  Downloaded toml_datetime v1.1.1+spec-1.1.0
  Downloaded regex v1.12.3
  Downloaded regex-syntax v0.8.10
  Downloaded winnow v1.0.2
  Downloaded regex-automata v0.4.14
  Downloaded libc v0.2.186
  Downloaded linux-raw-sys v0.12.1
   Compiling memchr v2.8.0
   Compiling serde_core v1.0.228
   Compiling libc v0.2.186
   Compiling proc-macro2 v1.0.106
   Compiling quote v1.0.45
   Compiling regex-syntax v0.8.10
   Compiling aho-corasick v1.1.4
   Compiling unicode-ident v1.0.24
   Compiling rustix v1.1.4
   Compiling regex-automata v0.4.14
   Compiling anyhow v1.0.102
   Compiling serde v1.0.228
   Compiling winnow v1.0.2
   Compiling autocfg v1.5.0
   Compiling zmij v1.0.21
   Compiling bitflags v2.11.1
   Compiling linux-raw-sys v0.12.1
   Compiling fs-err v3.3.0
   Compiling toml_parser v1.1.2+spec-1.1.0
   Compiling serde_spanned v1.1.1
   Compiling toml_datetime v1.1.1+spec-1.1.0
   Compiling syn v2.0.117
   Compiling camino v1.2.2
   Compiling serde_json v1.0.149
   Compiling cfg-if v1.0.4
   Compiling filetime v0.2.29
   Compiling bstr v1.12.1
   Compiling xattr v1.6.1
   Compiling regex v1.12.3
   Compiling toml v1.1.2+spec-1.1.0
   Compiling serde_derive v1.0.228
   Compiling shared_child v1.1.1
   Compiling os_pipe v1.2.3
   Compiling quick-xml v0.39.4
   Compiling shared_thread v0.2.0
   Compiling itoa v1.0.18
   Compiling rustc-demangle v0.1.27
   Compiling same-file v1.0.6
   Compiling walkdir v2.5.0
   Compiling lcov2cobertura v1.0.9
   Compiling duct v1.1.1
   Compiling cargo-config2 v0.1.44
   Compiling tar v0.4.45
   Compiling opener v0.8.4
   Compiling termcolor v1.4.1
   Compiling ruzstd v0.8.3
   Compiling shell-escape v0.1.5
   Compiling lexopt v0.3.2
   Compiling glob v0.3.3
   Compiling cargo-llvm-cov v0.8.7
    Finished `release` profile [optimized] target(s) in 54.34s
  Installing /home/runner/.cargo/bin/cargo-llvm-cov
   Installed package `cargo-llvm-cov v0.8.7` (executable `cargo-llvm-cov`)
  • Result: PASS

Software Vulkan adapter (Mesa lavapipe) for GPGPU coverage

$ bash -c sudo\ apt-get\ update\ \&\&\ sudo\ apt-get\ install\ -y\ --no-install-recommends\ mesa-vulkan-drivers\ libvulkan1\ vulkan-tools\ \|\|\ true 
Get:1 file:/etc/apt/apt-mirrors.txt Mirrorlist [144 B]
Hit:2 http://azure.archive.ubuntu.com/ubuntu noble InRelease
Get:6 https://packages.microsoft.com/repos/azure-cli noble InRelease [3564 B]
Get:7 https://packages.microsoft.com/ubuntu/24.04/prod noble InRelease [3600 B]
Get:3 http://azure.archive.ubuntu.com/ubuntu noble-updates InRelease [126 kB]
Get:4 http://azure.archive.ubuntu.com/ubuntu noble-backports InRelease [126 kB]
Get:5 http://azure.archive.ubuntu.com/ubuntu noble-security InRelease [126 kB]
Get:8 https://dl.google.com/linux/chrome-stable/deb stable InRelease [1825 B]
Get:9 https://packages.microsoft.com/repos/azure-cli noble/main amd64 Packages [2314 B]
Get:10 https://packages.microsoft.com/ubuntu/24.04/prod noble/main amd64 Packages [214 kB]
Get:11 https://packages.microsoft.com/ubuntu/24.04/prod noble/main arm64 Packages [181 kB]
Get:12 https://packages.microsoft.com/ubuntu/24.04/prod noble/main armhf Packages [11.6 kB]
Get:13 http://azure.archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages [1092 kB]
Get:14 http://azure.archive.ubuntu.com/ubuntu noble-updates/main Translation-en [269 kB]
Get:15 http://azure.archive.ubuntu.com/ubuntu noble-updates/main amd64 Components [180 kB]
Get:16 http://azure.archive.ubuntu.com/ubuntu noble-updates/universe amd64 Packages [1660 kB]
Get:17 http://azure.archive.ubuntu.com/ubuntu noble-updates/universe Translation-en [327 kB]
Get:18 http://azure.archive.ubuntu.com/ubuntu noble-updates/universe amd64 Components [388 kB]
Get:19 http://azure.archive.ubuntu.com/ubuntu noble-updates/restricted amd64 Packages [1225 kB]
Get:20 http://azure.archive.ubuntu.com/ubuntu noble-updates/restricted Translation-en [276 kB]
Get:21 http://azure.archive.ubuntu.com/ubuntu noble-updates/multiverse amd64 Components [940 B]
Get:22 http://azure.archive.ubuntu.com/ubuntu noble-backports/main amd64 Components [5760 B]
Get:23 http://azure.archive.ubuntu.com/ubuntu noble-backports/universe amd64 Components [10.5 kB]
Get:24 http://azure.archive.ubuntu.com/ubuntu noble-security/main amd64 Packages [827 kB]
Get:25 http://azure.archive.ubuntu.com/ubuntu noble-security/main Translation-en [187 kB]
Get:26 http://azure.archive.ubuntu.com/ubuntu noble-security/main amd64 Components [44.8 kB]
Get:27 http://azure.archive.ubuntu.com/ubuntu noble-security/main amd64 c-n-f Metadata [11.9 kB]
Get:28 http://azure.archive.ubuntu.com/ubuntu noble-security/universe amd64 Packages [1174 kB]
Get:29 http://azure.archive.ubuntu.com/ubuntu noble-security/universe Translation-en [231 kB]
Get:30 http://azure.archive.ubuntu.com/ubuntu noble-security/universe amd64 Components [76.3 kB]
Get:31 http://azure.archive.ubuntu.com/ubuntu noble-security/universe amd64 c-n-f Metadata [24.2 kB]
Get:32 https://dl.google.com/linux/chrome-stable/deb stable/main amd64 Packages [1215 B]
Fetched 8808 kB in 1s (8036 kB/s)
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
libvulkan1 is already the newest version (1.3.275.0-1build1).
libvulkan1 set to manually installed.
The following NEW packages will be installed:
  mesa-vulkan-drivers vulkan-tools
0 upgraded, 2 newly installed, 0 to remove and 38 not upgraded.
Need to get 17.8 MB of archives.
After this operation, 100 MB of additional disk space will be used.
Get:1 file:/etc/apt/apt-mirrors.txt Mirrorlist [144 B]
Get:2 http://azure.archive.ubuntu.com/ubuntu noble-updates/main amd64 mesa-vulkan-drivers amd64 25.2.8-0ubuntu0.24.04.2 [17.5 MB]
Get:3 http://azure.archive.ubuntu.com/ubuntu noble/universe amd64 vulkan-tools amd64 1.3.275.0+dfsg1-1 [298 kB]
Fetched 17.8 MB in 1s (26.7 MB/s)
Selecting previously unselected package mesa-vulkan-drivers:amd64.
(Reading database ... 
(Reading database ... 5%
(Reading database ... 10%
(Reading database ... 15%
(Reading database ... 20%
(Reading database ... 25%
(Reading database ... 30%
(Reading database ... 35%
(Reading database ... 40%
(Reading database ... 45%
(Reading database ... 50%
(Reading database ... 55%
(Reading database ... 60%
(Reading database ... 65%
(Reading database ... 70%
(Reading database ... 75%
(Reading database ... 80%
(Reading database ... 85%
(Reading database ... 90%
(Reading database ... 95%
(Reading database ... 100%
(Reading database ... 202701 files and directories currently installed.)
Preparing to unpack .../mesa-vulkan-drivers_25.2.8-0ubuntu0.24.04.2_amd64.deb ...
Unpacking mesa-vulkan-drivers:amd64 (25.2.8-0ubuntu0.24.04.2) ...
Selecting previously unselected package vulkan-tools.
Preparing to unpack .../vulkan-tools_1.3.275.0+dfsg1-1_amd64.deb ...
Unpacking vulkan-tools (1.3.275.0+dfsg1-1) ...
Setting up mesa-vulkan-drivers:amd64 (25.2.8-0ubuntu0.24.04.2) ...
Setting up vulkan-tools (1.3.275.0+dfsg1-1) ...
Processing triggers for libc-bin (2.39-0ubuntu8.7) ...
Processing triggers for man-db (2.12.0-4build2) ...
Not building database; man-db/auto-update is not 'true'.

Running kernel seems to be up-to-date.

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.
  • Result: PASS

Rust GPGPU coverage adapter

  • Result: PASS
  • Reason: using Mesa lavapipe software Vulkan adapter at /usr/share/vulkan/icd.d/lvp_icd.json so wgpu GPGPU code paths are exercised on the GPU-less runner.

Rust coverage with missing-line report (Cargo.toml)

$ cargo llvm-cov --workspace --all-features --fail-under-lines 100 --show-missing-lines 
info: cargo-llvm-cov currently setting cfg(coverage); you can opt-out it by passing --no-cfg-coverage
 Downloading crates ...
  Downloaded atomic-waker v1.1.2
  Downloaded autocfg v1.5.1
  Downloaded cfg_aliases v0.2.1
  Downloaded fnv v1.0.7
  Downloaded form_urlencoded v1.2.2
  Downloaded bytes v1.12.0
  Downloaded tracing-core v0.1.36
  Downloaded writeable v0.6.3
  Downloaded bit-vec v0.8.0

## Changed-File Evidence Map

```mermaid
flowchart LR
  PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
  Evidence --> S1["Workflow: codeql.yml"]
  S1 --> I1["GitHub Actions review job"]
  I1 --> R1["Review risk: Workflow: codeql.yml"]
  R1 --> V1["actionlint plus required checks"]
  Evidence --> S2["Changed file (7 files)"]
  S2 --> I2["repository behavior"]
  I2 --> R2["Review risk: Changed file (7 files)"]
  R2 --> V2["required checks"]
  Evidence --> S3["Test: binary.rs"]
  S3 --> I3["regression suite"]
  I3 --> R3["Review risk: Test: binary.rs"]
  R3 --> V3["targeted test run"]

@github-actions

github-actions Bot commented Jul 11, 2026

Copy link
Copy Markdown

OpenCode Review Overview

  • Head SHA: bf1c36cdfa36710cfbde1f56dad4dee60d0a6ebc
  • Workflow run: 29171815115
  • Workflow attempt: 1
  • Gate result: APPROVE (approval step)

Pull request overview

OpenCode reviewed the current-head bounded evidence and found no blocking issues.

Findings

No blocking findings.

Summary

Approval sufficiency: bounded evidence supplied affirmative approval evidence for changed files, coverage/docstring posture, risk surfaces, and current-head verification; approval is not based merely on the absence of known blockers.
Verification posture: CodeGraph evidence was initialized and bounded current-head evidence reviewed for changed-file evidence including Cargo.lock, crates/waf-ids-core/src/lib.rs, crates/waf-ids-core/tests/fuzz_invariants.rs, fuzz/fuzz_targets/fuzz_dnsbl_zone.rs, fuzz/fuzz_targets/fuzz_score_request.rs, and 3 more.
Linter/static: workflow/static review evidence is bounded by the current-head GitHub Checks gate and changed-file evidence.
TDD/regression: coverage execution evidence and focused changed hunks were reviewed from bounded-review-evidence.md.
Coverage: coverage execution evidence reports supported repository test suites passed.
Docstring coverage: coverage execution evidence reports configured repository docstring gates passed or docstring coverage was advisory.
DAG: CodeGraph/source-backed behavior map connects Cargo.lock to the affected review, runtime, or workflow path and required checks.
PoC/execution: coverage-evidence job executed on the current head and reported PASS.
DDD/domain: workflow and repository-governance invariants were reviewed against changed files in bounded evidence.
CDD/context: CodeGraph evidence, changed-file history, and focused hunks were reviewed from bounded-review-evidence.md.
Similar issues: changed-file history evidence was reviewed for comparable local precedents.
Claim/concept check: bounded evidence, repository source, current-head workflow evidence, and, where numeric, scientific, statistical, or literature-backed claims are affected, original-paper/formula evidence and parameter-recovery expectations were used for claims.
Standards search: standards and external-source checks are delegated to configured OpenCode web_search/Context7/DeepWiki sources when applicable; no evidence-backed standards blocker is present in bounded evidence.
Compatibility/convention: changed workflow/script conventions, object naming, and reserved-word safety for schema/API/config/code surfaces were checked in bounded evidence.
Breaking-change/backcompat: deployment evidence and changed-file history were checked for backward-compatibility risk.
Performance: changed surfaces were checked for performance risk in bounded evidence.
Developer experience: changed automation, review, test, setup, and maintenance surfaces were checked for helpful or obstructive DX impact in bounded evidence.
User experience: connected user, operator, API, CLI, documentation, review-comment, status-check, rendering, and workflow-reader behavior was checked for contradictions against code, docs, and tests in bounded evidence.
Visual/DOM: Playwright visual, DOM locator, ARIA snapshot, console, and responsive evidence were checked when a web UI surface was present; for non-web surfaces, API/CLI/log/docs/workflow interaction evidence was reviewed instead.
Accessibility/i18n: accessibility, localization, and human-readable text surfaces were checked where UI, CLI, API message, docs, logs, or review text changed.
Supply-chain/license: dependency, package, model, container, and external-tool changes were checked in bounded evidence.
Packaging: package, build, test, lint, and security contracts were checked in bounded evidence.
Security/privacy: workflow-token, review-gate, and repository-automation security/privacy boundaries were checked in bounded evidence.

  • Result: APPROVE
  • Reason: PR consolidates WAF/SOC features with robust validation and security enhancements.
  • Head SHA: bf1c36cdfa36710cfbde1f56dad4dee60d0a6ebc
  • Workflow run: 29171815115
  • Workflow attempt: 1

Changed-File Evidence Map

flowchart LR
  PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
  Evidence --> S1["Changed file (7 files)"]
  S1 --> I1["repository behavior"]
  I1 --> R1["Review risk: Changed file (7 files)"]
  R1 --> V1["required checks"]
  Evidence --> S2["Test: binary.rs"]
  S2 --> I2["regression suite"]
  I2 --> R2["Review risk: Test: binary.rs"]
  R2 --> V2["targeted test run"]
Loading

@opencode-agent opencode-agent Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

OpenCode reviewed the current-head bounded evidence and found no blocking issues.

Findings

No blocking findings.

Summary

Approval sufficiency: bounded evidence supplied affirmative approval evidence for changed files, coverage/docstring posture, risk surfaces, and current-head verification; approval is not based merely on the absence of known blockers.
Verification posture: CodeGraph evidence was initialized and bounded current-head evidence reviewed for changed-file evidence including Cargo.lock, crates/waf-ids-core/src/lib.rs, crates/waf-ids-core/tests/fuzz_invariants.rs, fuzz/fuzz_targets/fuzz_dnsbl_zone.rs, fuzz/fuzz_targets/fuzz_score_request.rs, and 3 more.
Linter/static: workflow/static review evidence is bounded by the current-head GitHub Checks gate and changed-file evidence.
TDD/regression: coverage execution evidence and focused changed hunks were reviewed from bounded-review-evidence.md.
Coverage: coverage execution evidence reports supported repository test suites passed.
Docstring coverage: coverage execution evidence reports configured repository docstring gates passed or docstring coverage was advisory.
DAG: CodeGraph/source-backed behavior map connects Cargo.lock to the affected review, runtime, or workflow path and required checks.
PoC/execution: coverage-evidence job executed on the current head and reported PASS.
DDD/domain: workflow and repository-governance invariants were reviewed against changed files in bounded evidence.
CDD/context: CodeGraph evidence, changed-file history, and focused hunks were reviewed from bounded-review-evidence.md.
Similar issues: changed-file history evidence was reviewed for comparable local precedents.
Claim/concept check: bounded evidence, repository source, current-head workflow evidence, and, where numeric, scientific, statistical, or literature-backed claims are affected, original-paper/formula evidence and parameter-recovery expectations were used for claims.
Standards search: standards and external-source checks are delegated to configured OpenCode web_search/Context7/DeepWiki sources when applicable; no evidence-backed standards blocker is present in bounded evidence.
Compatibility/convention: changed workflow/script conventions, object naming, and reserved-word safety for schema/API/config/code surfaces were checked in bounded evidence.
Breaking-change/backcompat: deployment evidence and changed-file history were checked for backward-compatibility risk.
Performance: changed surfaces were checked for performance risk in bounded evidence.
Developer experience: changed automation, review, test, setup, and maintenance surfaces were checked for helpful or obstructive DX impact in bounded evidence.
User experience: connected user, operator, API, CLI, documentation, review-comment, status-check, rendering, and workflow-reader behavior was checked for contradictions against code, docs, and tests in bounded evidence.
Visual/DOM: Playwright visual, DOM locator, ARIA snapshot, console, and responsive evidence were checked when a web UI surface was present; for non-web surfaces, API/CLI/log/docs/workflow interaction evidence was reviewed instead.
Accessibility/i18n: accessibility, localization, and human-readable text surfaces were checked where UI, CLI, API message, docs, logs, or review text changed.
Supply-chain/license: dependency, package, model, container, and external-tool changes were checked in bounded evidence.
Packaging: package, build, test, lint, and security contracts were checked in bounded evidence.
Security/privacy: workflow-token, review-gate, and repository-automation security/privacy boundaries were checked in bounded evidence.

  • Result: APPROVE
  • Reason: PR consolidates WAF/SOC features with robust validation and security enhancements.
  • Head SHA: bf1c36cdfa36710cfbde1f56dad4dee60d0a6ebc
  • Workflow run: 29171815115
  • Workflow attempt: 1

Changed-File Evidence Map

flowchart LR
  PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
  Evidence --> S1["Changed file (7 files)"]
  S1 --> I1["repository behavior"]
  I1 --> R1["Review risk: Changed file (7 files)"]
  R1 --> V1["required checks"]
  Evidence --> S2["Test: binary.rs"]
  S2 --> I2["regression suite"]
  I2 --> R2["Review risk: Test: binary.rs"]
  R2 --> V2["targeted test run"]
Loading

@seonghobae seonghobae dismissed github-actions[bot]’s stale review July 11, 2026 23:38

Dismiss stale old-head review after current head passed checks and current-head OpenCode approval is present.

@seonghobae seonghobae enabled auto-merge (squash) July 11, 2026 23:38
@seonghobae seonghobae merged commit 18ac594 into main Jul 11, 2026
29 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants